On May 25, 2018, the European Union began to enforce its General Data Protection Regulation (GDPR), which aims to comprehensively protect data privacy by addressing how companies collect, store, and process personal data. The GDPR was adopted by the European Parliament and European Council in April 2016, following over four years of discussions regarding how to structure the complex law. The two-year delay in enforcement was primarily to allow businesses time to comply with the new law.

The GDPR has 99 articles that provide the rights of individuals and businesses related to personal data. Specifically, the GDPR increases individual control over personal data and impacts how businesses can utilize personal data, where personal data is broadly interpreted to mean any information used to identify a person (name, address, political views, sexual orientation, etc.). For example, Article 20, the right to data portability, allows individuals to receive their personal data provided to a controller and transmit such data from one controller to another controller.

Though the GDPR is an enforceable regulation only in the EU, it has an impact on large U.S. companies that monitor individuals or offer goods or services in the EU. Such U.S. companies must be compliant with the GDPR or they will be subjected to fines up to $24.5 million or 4% of their global annual revenue for the previous financial year. Despite the GDPR’s far-reaching effect on U.S. companies, it does not afford protection to individuals in the U.S. This is particularly significant as the U.S. currently lacks a comprehensive data privacy law or legal equivalent to the GDPR.

At the federal level, the U.S. has implemented sectoral legislation as specific issues of privacy arise due to the development of new technologies. Over time there have been many data privacy laws enacted including, but not limited to, the Cable Communications Policy Act (CCPA) relating to privacy protection for cable subscribers, the Gramm-Leach-Billey Act (GLBA) protecting access to personal financial and banking information, and the Health Insurance Portability and Accountability Act (HIPAA) promoting privacy of health and medical information. These varied privacy laws apply to specified sectors and are enforced by different agencies.

At the state level, there are divergent approaches to data protection. All fifty states have passed legislation requiring notification when personal data is breached or comprised, but these laws vary in terms of types of personal information and entities that are covered and what is considered a breach. California and Delaware have both enacted statutes related to children’s online privacy, but the two statutes vary in how they protect privacy related to online services that market or advertise specified content to children.

Beyond the complex, hodge-podge approach to data privacy law at both the federal and state level, data privacy is further complicated by industry group guidelines. Many industry groups issue guidelines which are considered to be the preferred mode of practice and often adopted by industry players (despite the fact that they are not legally binding). For example, many players in the automobile industry voluntarily adopted principles created by the Alliance of Automobile Manufacturers and the Association of Global Automakers, which were designed primarily to disclose information about the collection and use of personal data.

The U.S. may consider replacing these complex rules with comprehensive federal regulations. However, adopting and enforcing a GDPR-like, all-inclusive privacy regulation could prove difficult.

U.S. Adoption and Enforcement of a Comprehensive Data Privacy Law

Adopting a comprehensive data privacy regulation would require moving legislation through Congress. Any privacy regulation of this complexity and impact would present complications in the legislative approval process and would likely have a lengthy legislative road.

If a comprehensive regulation were successfully adopted, then there would likely be further obstacles related to enforcement. Specifically, enforcement would require an enforcement agency capable of ensuring compliance for such a complex privacy regulation. There are several, distinct agencies that currently enforce the sectoral privacy laws of the U.S., such as the Federal Trade Commission (FTC), Department of Commerce, and Department of Health and Human Services (HHS). However, these agencies have specific expertise and may not have the infrastructure to enforce such a broad privacy regulation.

Perhaps interest from the general public, lobbying groups, and/or large technology companies could be enough to tackle the obstacles in adopting and enforcing a comprehensive federal privacy law. It appears that representatives of leading technology companies are not only amenable to federal regulations on data privacy, but are actively pushing Congress to adopt such regulations. In September 2018, privacy representatives from Amazon, Apple, AT&T, Charter, Google, and Twitter urged Congress to preempt state regulations and implement a federal privacy regulation. These industry players may be willing to adopt industry regulation for a variety of reasons. Large U.S. companies with a digital presence in the EU are already expected to be compliant with the GDPR or pay a fine, so these companies likely have the infrastructure created to comply with a similar U.S. law. Many of these large companies have recently been connected to data privacy breaches which have brought into light their data collecting abilities. Further, these technology companies may be attempting to preempt patchwork state laws. For example, in 2018, California passed the California Consumer Privacy Act (CCPA) which requires businesses to disclose information regarding the storage of personal data. Other states are similarly adopting data privacy laws and the varying state law regulations may prove more difficult for industry compliance than one comprehensive federal law.